It is not possible to directly connect Ory Oathkeeper to SpiceDB. This adapter allows you to do so.
Oathkeeper relies on the http response code from the authorization server (200 OK, 403 Forbidden). The SpiceDB HTTP server does not return the permissions state with the HTTP Response code, but does so in the body of the response.
Go to the release page and download the binary for your platform.
For example, on Linux:
curl -L https://github.com/EgorHenek/go-oathkeeper-spicedb-adapter/releases/download/v1.0.1/adapter_1.0.1_linux_amd64 -o go-oathkeeper-spicedb-adapter
chmod +x go-oathkeeper-spicedb-adapterand run:
./go-oathkeeper-spicedb-adapterdocker pull henek/go-oathkeeper-spicedb-adapter:latest
docker run -p 50150:50150 --name osadapter -e SPICE_DB_URL=http://spicedb:50051 -e SPICE_DB_SECRET=topsecret henek/go-oathkeeper-spicedb-adapterNote: Don't use the latest tag in a production environment.
You can see an example environment deployment in the /deployments directory.
curl -i -X POST --json '{"resource": {"object_type": "beer", "object_id": "1"}, "permission": "drink", "subject": {"object": {"object_type": "user", "object_id": "1"}}}' http://localhost:50150/permissions/checkHTTP/1.1 403 Forbidden
Content-Type: application/json
Date: Mon, 21 Aug 2023 06:24:31 GMT
Content-Length: 18An example of integrating the adapter into oathkeeper for the whoami service can be seen in the deployments.
| Name | Default | Description |
|---|---|---|
| PORT | 50150 | Port to listen on |
| SPICE_DB_SECRET | (required) GRPC preshared key for the SpiceDB instance | |
| SPICE_DB_URL | (required) URL to the SpiceDB instance. Example: localhost:50051 | |
| TLS_CERT_PATH | empty | (optional) Path to a TLS certificate files. If this value is empty, an unencrypted connection will be used. Example: /mnt/tls/ca.crt,/mnt/tls/tls.crt |